IMHO the main selling feature of PAM has been 'whenever you want to upgrade to serious authentication like smartcards or biometrics, you'll need PAM and you'll learn that PAM is the proper method'.

no, I think it is "reconfigure / add module in one central place".
earlier you would have needed to change and recompile login, sshd, xdm,
xscreenlock and other apps, and that isn't nice.

but to be honest: I think smart cards are too complex to be handled
with pam. sure, a simple limited pam module works, but for advanced
features a special chooser would be much nicer.

examples of advanced features:
 * list smart card readers and card status
 * let people know about the secure input led, so they check it is on
   (i.e. with pinpad readers, make sure people enter the pin to the
   card, and not with "INPUT" commands read by the pc).
 * display card info like name, photo id, whatever.
 * allow people to select the account they want to log in to (list those
   the card is valid for - some people might see that as a security
   issue, if it is done before authentication).
 * allow people to unblock the pin - blocked pins happen and it is a
   problem if people can't unblock it with the puk.
 * (optional) leave the card in verified state, so network connections,
   crypto partitions and other stuff can be used without re-entering
   the pin.
 * lock screen if card is removed.
 * same features in xdm&friends and xlock&friends.

pam is not suited to these advanced features. but neither is pkcs#11
I fear, nor the opensc code, nor the "library model" (as opposed to
a daemon/agent model).

back to the original issue: what can we (easily) add to the pam_p11 module to make max. number of users happy? please file new tickets.
will try to implement (mostly as options).

Regards, Andreas
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel